Navigation

← Previous Changeset
Next Changeset →

Changeset 1375

Timestamp:

09/30/08 06:20:06 (2 months ago)

Author:

wichert

Message:

Include the gateway id in the firewall table names. Fixes #466

Files:

trunk/wifidog/ChangeLog (modified) (1 diff)
trunk/wifidog/src/fw_iptables.c (modified) (6 diffs)
trunk/wifidog/src/fw_iptables.h (modified) (1 diff)
trunk/wifidog/wifidog.conf (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/wifidog/ChangeLog

r1374	r1375
2	2
3	3	2008-09-30 Wichert Akkerman <wichert@wiggy.net>
	4	* Include the gateway id in the firewall table names. Fixes ticket #466
4	5	* URL encode the token before transmitting (it was already decoded).
5	6	Fixes ticket #473

trunk/wifidog/src/fw_iptables.c

r1373	r1375
60	60	static int fw_quiet = 0;
61	61
	62	/** @internal
	63	* @brief Insert $ID$ with the gateway's id in a string.
	64	*
	65	* This function can replace the input string with a new one. It assumes
	66	* the input string is dynamically allocted and can be free()ed safely.
	67	*
	68	* This function must be called with the CONFIG_LOCK held.
	69	*/
	70	static void
	71	iptables_insert_gateway_id(char **input)
	72	{
	73	char *token;
	74	const s_config *config;
	75	char *buffer;
	76
	77	if (strstr(*input, "$ID$")==NULL)
	78	return;
	79
	80
	81	while ((token=strstr(*input, "$ID$"))!=NULL)
	82	/* This string may look odd but it's standard POSIX and ISO C */
	83	memcpy(token, "%1$s", 4);
	84
	85	config = config_get_config();
	86	safe_asprintf(&buffer, *input, config->gw_id);
	87
	88	free(*input);
	89	*input=buffer;
	90	}
	91
62	92	/** @internal
63	93	* */
…	…
65	95	iptables_do_command(const char *format, ...)
66	96	{
67		va_list vlist;
68		char *fmt_cmd,
69		*cmd;
70		int rc;
71
72		va_start(vlist, format);
73		safe_vasprintf(&fmt_cmd, format, vlist);
74		va_end(vlist);
75
76		safe_asprintf(&cmd, "iptables %s", fmt_cmd);
77
78		free(fmt_cmd);
79
80		debug(LOG_DEBUG, "Executing command: %s", cmd);
81
82		rc = execute(cmd, fw_quiet);
83
84		if (rc!=0)
85		debug(LOG_ERR, "iptables comand tailed: %s", cmd);
86
87		free(cmd);
88
89		return rc;
	97	va_list vlist;
	98	char *fmt_cmd;
	99	char *cmd;
	100	int rc;
	101
	102	va_start(vlist, format);
	103	safe_vasprintf(&fmt_cmd, format, vlist);
	104	va_end(vlist);
	105
	106	safe_asprintf(&cmd, "iptables %s", fmt_cmd);
	107	free(fmt_cmd);
	108
	109	iptables_insert_gateway_id(&cmd);
	110
	111	debug(LOG_DEBUG, "Executing command: %s", cmd);
	112
	113	rc = execute(cmd, fw_quiet);
	114
	115	if (rc!=0)
	116	debug(LOG_ERR, "iptables comand failed: %s", cmd);
	117
	118	free(cmd);
	119
	120	return rc;
90	121	}
91	122
…	…
190	221	{
191	222	const s_config *config;
192		~~char * gw_interface = NULL;~~
193		~~char * gw_address = NULL;~~
194	223	char * ext_interface = NULL;
195	224	int gw_port = 0;
196	225	t_trusted_mac *p;
197
	226
198	227	fw_quiet = 0;
199	228
200		LOCK_CONFIG();
201		config = config_get_config();
202		gw_interface = safe_strdup(config->gw_interface);
203		gw_address = safe_strdup(config->gw_address);
204		gw_port = config->gw_port;
205		if (config->external_interface) {
206		ext_interface = safe_strdup(config->external_interface);
207		} else {
208		ext_interface = get_ext_iface();
209		}
210		UNLOCK_CONFIG();
211
	229	LOCK_CONFIG();
	230	config = config_get_config();
	231	gw_port = config->gw_port;
	232	if (config->external_interface) {
	233	ext_interface = safe_strdup(config->external_interface);
	234	} else {
	235	ext_interface = get_ext_iface();
	236	}
	237
212	238	if (ext_interface == NULL) {
	239	UNLOCK_CONFIG();
213	240	debug(LOG_ERR, "FATAL: no external interface");
214		~~/* XXX leaks safe_strdup()'d strings */~~
215	241	return 0;
216	242	}
217		/*
218		*
219		* Everything in the MANGLE table
220		*
221		*/
222
223		/* Create new chains */
224		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
225		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
226		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
227
228		/* Assign links and rules to these new chains */
229		iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface);
230		iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);//this rule will be inserted before the prior one
231		iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, gw_interface);
232
233		for (p = config->trustedmaclist; p != NULL; p = p->next)
234		iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);
235
236		/*
237		*
238		* Everything in the NAT table
239		*
240		*/
241
242		/* Create new chains */
243		iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
244		iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
245		iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
246		iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
247		iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
248		iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
249
250		/* Assign links and rules to these new chains */
251		iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface);
252
253		iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, gw_address);
254		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
255
256		iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
257		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
258		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
259		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
260
261		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
262		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
263		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
264
265
266		/*
267		*
268		* Everything in the FILTER table
269		*
270		*/
271
272		/* Create new chains */
273		iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
274		iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
275		iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
276		iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
277		iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
278		iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
279		iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
280
281		/* Assign links and rules to these new chains */
282
283		/* Insert at the beginning */
284		iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface);
285
286
287		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
288
289		/* XXX: Why this? it means that connections setup after authentication
290		stay open even after the connection is done...
291		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
292
293		//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
294		//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
295
296		/* TCPMSS rule for PPPoE */
297		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
298
299		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
300		iptables_fw_set_authservers();
301
302		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
303		iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
304
305		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
306		iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
307		iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
308
309		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
310		iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
311
312		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
313		iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
314
315		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
316		iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
317		iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
318
319		free(gw_interface);
320		free(gw_address);
321
322		return 1;
	243	/*
	244	*
	245	* Everything in the MANGLE table
	246	*
	247	*/
	248
	249	/* Create new chains */
	250	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
	251	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
	252	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
	253
	254	/* Assign links and rules to these new chains */
	255	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
	256	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
	257	iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
	258
	259	for (p = config->trustedmaclist; p != NULL; p = p->next)
	260	iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);
	261
	262	/*
	263	*
	264	* Everything in the NAT table
	265	*
	266	*/
	267
	268	/* Create new chains */
	269	iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
	270	iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
	271	iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	272	iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
	273	iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
	274	iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
	275
	276	/* Assign links and rules to these new chains */
	277	iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
	278
	279	iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
	280	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
	281
	282	iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	283	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
	284	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
	285	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
	286
	287	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
	288	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
	289	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
	290
	291
	292	/*
	293	*
	294	* Everything in the FILTER table
	295	*
	296	*/
	297
	298	/* Create new chains */
	299	iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	300	iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
	301	iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
	302	iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
	303	iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
	304	iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
	305	iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
	306
	307	/* Assign links and rules to these new chains */
	308
	309	/* Insert at the beginning */
	310	iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
	311
	312
	313	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
	314
	315	/* XXX: Why this? it means that connections setup after authentication
	316	stay open even after the connection is done...
	317	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
	318
	319	//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
	320	//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
	321
	322	/* TCPMSS rule for PPPoE */
	323	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
	324
	325	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
	326	iptables_fw_set_authservers();
	327
	328	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
	329	iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
	330
	331	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
	332	iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
	333	iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
	334
	335	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
	336	iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
	337
	338	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
	339	iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
	340
	341	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
	342	iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
	343	iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
	344
	345	UNLOCK_CONFIG();
	346	return 1;
323	347	}
324	348
…	…
417	441
418	442	safe_asprintf(&command, "iptables -t %s -L %s -n --line-numbers -v", table, chain);
	443	iptables_insert_gateway_id(&command);
419	444
420	445	if ((p = popen(command, "r"))) {
…	…
491	516	/* Look for outgoing traffic */
492	517	safe_asprintf(&script, "%s %s", "iptables", "-v -n -x -t mangle -L " TABLE_WIFIDOG_OUTGOING);
	518	iptables_insert_gateway_id(&script);
493	519	output = popen(script, "r");
494	520	free(script);
…	…
529	555	/* Look for incoming traffic */
530	556	safe_asprintf(&script, "%s %s", "iptables", "-v -n -x -t mangle -L " TABLE_WIFIDOG_INCOMING);
	557	iptables_insert_gateway_id(&script);
531	558	output = popen(script, "r");
532	559	free(script);

trunk/wifidog/src/fw_iptables.h

r1373	r1375
32	32	/@{/
33	33	/*Iptable table names used by WifiDog /
34		#define TABLE_WIFIDOG_OUTGOING "WiFiDog_Outgoing"
35		#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_WIFI2Internet"
36		#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_WIFI2Router"
37		#define TABLE_WIFIDOG_INCOMING "WiFiDog_Incoming"
38		#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_AuthServers"
39		#define TABLE_WIFIDOG_GLOBAL "WiFiDog_Global"
40		#define TABLE_WIFIDOG_VALIDATE "WiFiDog_Validate"
41		#define TABLE_WIFIDOG_KNOWN "WiFiDog_Known"
42		#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_Unknown"
43		#define TABLE_WIFIDOG_LOCKED "WiFiDog_Locked"
44		#define TABLE_WIFIDOG_TRUSTED "WiFiDog_Trusted"
	34	#define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing"
	35	#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet"
	36	#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router"
	37	#define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming"
	38	#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers"
	39	#define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global"
	40	#define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate"
	41	#define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known"
	42	#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown"
	43	#define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked"
	44	#define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"
45	45	/@}/
46	46

trunk/wifidog/wifidog.conf

r1369	r1375
7	7	#
8	8	# Set this to the node ID on the auth server
9		# this is used to give a customized login page to the clients and for
10		# monitoring/statistics purpose
	9	# This is used to give a customized login page to the clients and for
	10	# monitoring/statistics purpose. If you run multiple gateways on the same
	11	# machine each gateway needs to have a different gateway id.
11	12	# If none is supplied, the mac address of the GatewayInterface interface will be used,
12	13	# without the : separators

Navigation

Changeset 1375

Legend:

trunk/wifidog/ChangeLog

trunk/wifidog/src/fw_iptables.c

trunk/wifidog/src/fw_iptables.h

trunk/wifidog/wifidog.conf

Download in other formats: